本文整理汇总了Golang中github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors.IsForbidden函数的典型用法代码示例。如果您正苦于以下问题:Golang IsForbidden函数的具体用法?Golang IsForbidden怎么用?Golang IsForbidden使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了IsForbidden函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Golang代码示例。
示例1: TestAuthorizationRestrictedAccessForProjectAdmins
func TestAuthorizationRestrictedAccessForProjectAdmins(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
markClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = haroldClient.DeploymentConfigs("hammer-project").List(labels.Everything(), fields.Everything())
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = markClient.DeploymentConfigs("hammer-project").List(labels.Everything(), fields.Everything())
if (err == nil) || !kapierror.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
// projects are a special case where a get of a project actually sets a namespace. Make sure that
// the namespace is properly special cased and set for authorization rules
_, err = haroldClient.Projects().Get("hammer-project")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = markClient.Projects().Get("hammer-project")
if (err == nil) || !kapierror.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
// wait for the project authorization cache to catch the change. It is on a one second period
waitForProject(t, haroldClient, "hammer-project", 1*time.Second, 10)
waitForProject(t, markClient, "mallet-project", 1*time.Second, 10)
}示例2: doServiceAccountAPIRequests
func doServiceAccountAPIRequests(t *testing.T, c *client.Client, ns string, authenticated bool, canRead bool, canWrite bool) {
testSecret := &api.Secret{
ObjectMeta: api.ObjectMeta{Name: "testSecret"},
Data: map[string][]byte{"test": []byte("data")},
}
readOps := []testOperation{
func() error { _, err := c.Secrets(ns).List(labels.Everything(), fields.Everything()); return err },
func() error { _, err := c.Pods(ns).List(labels.Everything(), fields.Everything()); return err },
}
writeOps := []testOperation{
func() error { _, err := c.Secrets(ns).Create(testSecret); return err },
func() error { return c.Secrets(ns).Delete(testSecret.Name) },
}
for _, op := range readOps {
err := op()
unauthorizedError := errors.IsUnauthorized(err)
forbiddenError := errors.IsForbidden(err)
switch {
case !authenticated && !unauthorizedError:
t.Fatalf("expected unauthorized error, got %v", err)
case authenticated && unauthorizedError:
t.Fatalf("unexpected unauthorized error: %v", err)
case authenticated && canRead && forbiddenError:
t.Fatalf("unexpected forbidden error: %v", err)
case authenticated && !canRead && !forbiddenError:
t.Fatalf("expected forbidden error, got: %v", err)
}
}
for _, op := range writeOps {
err := op()
unauthorizedError := errors.IsUnauthorized(err)
forbiddenError := errors.IsForbidden(err)
switch {
case !authenticated && !unauthorizedError:
t.Fatalf("expected unauthorized error, got %v", err)
case authenticated && unauthorizedError:
t.Fatalf("unexpected unauthorized error: %v", err)
case authenticated && canWrite && forbiddenError:
t.Fatalf("unexpected forbidden error: %v", err)
case authenticated && !canWrite && !forbiddenError:
t.Fatalf("expected forbidden error, got: %v", err)
}
}
}示例3: Resolve
// Resolve searches for a template and returns a match with the object representation
func (r TemplateResolver) Resolve(value string) (*ComponentMatch, error) {
checked := util.NewStringSet()
for _, namespace := range r.Namespaces {
if checked.Has(namespace) {
continue
}
checked.Insert(namespace)
glog.V(4).Infof("checking template %s/%s", namespace, value)
repo, err := r.Client.Templates(namespace).Get(value)
if err != nil {
if errors.IsNotFound(err) || errors.IsForbidden(err) {
continue
}
return nil, err
}
return &ComponentMatch{
Value: value,
Argument: fmt.Sprintf("--template=%q", value),
Name: value,
Description: fmt.Sprintf("Template %s in project %s", repo.Name, repo.Namespace),
Score: 0,
Template: repo,
}, nil
}
return nil, ErrNoMatch{value: value}
}示例4: Resolve
// Resolve will attempt to find an imagestream with a name that matches the passed in value
func (r ImageStreamResolver) Resolve(value string) (*ComponentMatch, error) {
ref, err := imageapi.ParseDockerImageReference(value)
if err != nil || len(ref.Registry) != 0 {
return nil, fmt.Errorf("image repositories must be of the form [<namespace>/]<name>[:<tag>|@<digest>]")
}
namespaces := r.Namespaces
if len(ref.Namespace) != 0 {
namespaces = []string{ref.Namespace}
}
searchTag := ref.Tag
if len(searchTag) == 0 {
searchTag = imageapi.DefaultImageTag
}
for _, namespace := range namespaces {
glog.V(4).Infof("checking ImageStream %s/%s with ref %q", namespace, ref.Name, searchTag)
repo, err := r.Client.ImageStreams(namespace).Get(ref.Name)
if err != nil {
if errors.IsNotFound(err) || errors.IsForbidden(err) {
continue
}
return nil, err
}
ref.Namespace = namespace
latest := imageapi.LatestTaggedImage(repo, searchTag)
if latest == nil {
// continue searching in the next namespace
glog.V(2).Infof("no image recorded for %s/%s:%s", repo.Namespace, repo.Name, searchTag)
continue
}
imageStreamImage, err := r.ImageStreamImages.ImageStreamImages(namespace).Get(ref.Name, latest.Image)
if err != nil {
if errors.IsNotFound(err) {
// continue searching in the next namespace
glog.V(2).Infof("tag %q is set, but image %q has been removed", searchTag, latest.Image)
continue
}
return nil, err
}
imageData := imageStreamImage.Image
ref.Registry = ""
return &ComponentMatch{
Value: ref.String(),
Argument: fmt.Sprintf("--image=%q", ref.String()),
Name: ref.Name,
Description: fmt.Sprintf("Image repository %s (tag %q) in project %s, tracks %q", repo.Name, searchTag, repo.Namespace, repo.Status.DockerImageRepository),
Builder: IsBuilderImage(&imageData.DockerImageMetadata),
Score: 0,
ImageStream: repo,
Image: &imageData.DockerImageMetadata,
ImageTag: searchTag,
}, nil
}
return nil, ErrNoMatch{value: value}
}示例5: MakeGraph
func (d *ProjectStatusDescriber) MakeGraph(namespace string) (osgraph.Graph, util.StringSet, error) {
g := osgraph.New()
loaders := []GraphLoader{
&serviceLoader{namespace: namespace, lister: d.K},
&serviceAccountLoader{namespace: namespace, lister: d.K},
&secretLoader{namespace: namespace, lister: d.K},
&rcLoader{namespace: namespace, lister: d.K},
&podLoader{namespace: namespace, lister: d.K},
&bcLoader{namespace: namespace, lister: d.C},
&buildLoader{namespace: namespace, lister: d.C},
&isLoader{namespace: namespace, lister: d.C},
&dcLoader{namespace: namespace, lister: d.C},
}
loadingFuncs := []func() error{}
for _, loader := range loaders {
loadingFuncs = append(loadingFuncs, loader.Load)
}
forbiddenResources := util.StringSet{}
if errs := parallel.Run(loadingFuncs...); len(errs) > 0 {
actualErrors := []error{}
for _, err := range errs {
if kapierrors.IsForbidden(err) {
forbiddenErr := err.(*kapierrors.StatusError)
if (forbiddenErr.Status().Details != nil) && (len(forbiddenErr.Status().Details.Kind) > 0) {
forbiddenResources.Insert(forbiddenErr.Status().Details.Kind)
}
continue
}
actualErrors = append(actualErrors, err)
}
if len(actualErrors) > 0 {
return g, forbiddenResources, utilerrors.NewAggregate(actualErrors)
}
}
for _, loader := range loaders {
loader.AddToGraph(g)
}
kubeedges.AddAllExposedPodTemplateSpecEdges(g)
kubeedges.AddAllExposedPodEdges(g)
kubeedges.AddAllManagedByRCPodEdges(g)
kubeedges.AddAllRequestedServiceAccountEdges(g)
kubeedges.AddAllMountableSecretEdges(g)
kubeedges.AddAllMountedSecretEdges(g)
buildedges.AddAllInputOutputEdges(g)
buildedges.AddAllBuildEdges(g)
deployedges.AddAllTriggerEdges(g)
deployedges.AddAllDeploymentEdges(g)
imageedges.AddAllImageStreamRefEdges(g)
return g, forbiddenResources, nil
}示例6: verifyOpenShiftUser
func verifyOpenShiftUser(client *client.Client) error {
if _, err := client.Users().Get("~"); err != nil {
log.Errorf("Get user failed with error: %s", err)
if kerrors.IsUnauthorized(err) || kerrors.IsForbidden(err) {
return ErrOpenShiftAccessDenied
}
return err
}
return nil
}示例7: TestBootstrapPolicyOverwritePolicyCommand
func TestBootstrapPolicyOverwritePolicyCommand(t *testing.T) {
masterConfig, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
client, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if err := client.ClusterPolicies().Delete(authorizationapi.PolicyName); err != nil {
t.Errorf("unexpected error: %v", err)
}
// after the policy is deleted, we must wait for it to be cleared from the policy cache
err = wait.Poll(10*time.Millisecond, 10*time.Second, func() (bool, error) {
_, err := client.ClusterPolicies().List(labels.Everything(), fields.Everything())
if err == nil {
return false, nil
}
if !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
return true, nil
})
if err != nil {
t.Errorf("timeout: %v", err)
}
etcdClient, err := etcd.GetAndTestEtcdClient(masterConfig.EtcdClientInfo)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
etcdHelper, err := origin.NewEtcdStorage(etcdClient, masterConfig.EtcdStorageConfig.OpenShiftStorageVersion, masterConfig.EtcdStorageConfig.OpenShiftStoragePrefix)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if err := admin.OverwriteBootstrapPolicy(etcdHelper, masterConfig.PolicyConfig.BootstrapPolicyFile, admin.CreateBootstrapPolicyFileFullCommand, true, ioutil.Discard); err != nil {
t.Errorf("unexpected error: %v", err)
}
if _, err := client.ClusterPolicies().List(labels.Everything(), fields.Everything()); err != nil {
t.Errorf("unexpected error: %v", err)
}
}示例8: TestErrors
func TestErrors(t *testing.T) {
o := testclient.NewObjects(kapi.Scheme, kapi.Scheme)
o.Add(&kapi.List{
Items: []runtime.Object{
&(errors.NewNotFound("DeploymentConfigList", "").(*errors.StatusError).ErrStatus),
&(errors.NewForbidden("DeploymentConfigList", "", nil).(*errors.StatusError).ErrStatus),
},
})
oc, _ := NewFixtureClients(o)
_, err := oc.DeploymentConfigs("test").List(labels.Everything(), fields.Everything())
if !errors.IsNotFound(err) {
t.Fatalf("unexpected error: %v", err)
}
t.Logf("error: %#v", err.(*errors.StatusError).Status())
_, err = oc.DeploymentConfigs("test").List(labels.Everything(), fields.Everything())
if !errors.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
}示例9: verifyPruneAccess
func verifyPruneAccess(client *client.Client) error {
sar := authorizationapi.SubjectAccessReview{
Verb: "delete",
Resource: "images",
}
response, err := client.ClusterSubjectAccessReviews().Create(&sar)
if err != nil {
log.Errorf("OpenShift client error: %s", err)
if kerrors.IsUnauthorized(err) || kerrors.IsForbidden(err) {
return ErrOpenShiftAccessDenied
}
return err
}
if !response.Allowed {
log.Errorf("OpenShift access denied: %s", response.Reason)
return ErrOpenShiftAccessDenied
}
return nil
}示例10: verifyImageStreamAccess
func verifyImageStreamAccess(namespace, imageRepo, verb string, client *client.Client) error {
sar := authorizationapi.SubjectAccessReview{
Verb: verb,
Resource: "imagestreams/layers",
ResourceName: imageRepo,
}
response, err := client.SubjectAccessReviews(namespace).Create(&sar)
if err != nil {
log.Errorf("OpenShift client error: %s", err)
if kerrors.IsUnauthorized(err) || kerrors.IsForbidden(err) {
return ErrOpenShiftAccessDenied
}
return err
}
if !response.Allowed {
log.Errorf("OpenShift access denied: %s", response.Reason)
return ErrOpenShiftAccessDenied
}
return nil
}示例11: TestErrors
func TestErrors(t *testing.T) {
o := NewObjects(api.Scheme, api.Scheme)
o.Add(&api.List{
Items: []runtime.Object{
// This first call to List will return this error
&(errors.NewNotFound("ServiceList", "").(*errors.StatusError).ErrStatus),
// The second call to List will return this error
&(errors.NewForbidden("ServiceList", "", nil).(*errors.StatusError).ErrStatus),
},
})
client := &Fake{ReactFn: ObjectReaction(o, latest.RESTMapper)}
_, err := client.Services("test").List(labels.Everything())
if !errors.IsNotFound(err) {
t.Fatalf("unexpected error: %v", err)
}
t.Logf("error: %#v", err.(*errors.StatusError).Status())
_, err = client.Services("test").List(labels.Everything())
if !errors.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
}示例12: Search
// Search searches for a template and returns matches with the object representation
func (r TemplateSearcher) Search(terms ...string) (ComponentMatches, error) {
matches := ComponentMatches{}
for _, term := range terms {
checkedNamespaces := util.NewStringSet()
for _, namespace := range r.Namespaces {
if checkedNamespaces.Has(namespace) {
continue
}
checkedNamespaces.Insert(namespace)
glog.V(4).Infof("checking template %s/%s", namespace, term)
templates, err := r.Client.Templates(namespace).List(labels.Everything(), fields.Everything())
if err != nil {
if errors.IsNotFound(err) || errors.IsForbidden(err) {
continue
}
return nil, err
}
for i := range templates.Items {
template := &templates.Items[i]
if score, scored := templateScorer(*template, term); scored {
matches = append(matches, &ComponentMatch{
Value: term,
Argument: fmt.Sprintf("--template=%q", template.Name),
Name: template.Name,
Description: fmt.Sprintf("Template %q in project %q", template.Name, template.Namespace),
Score: score,
Template: template,
})
}
}
}
}
return matches, nil
}示例13: NewForbidden
// NewForbidden is a utility function to return a well-formatted admission control error response
func NewForbidden(a Attributes, internalError error) error {
// do not double wrap an error of same type
if apierrors.IsForbidden(internalError) {
return internalError
}
name := "Unknown"
kind := a.GetKind()
obj := a.GetObject()
if obj != nil {
objectMeta, err := api.ObjectMetaFor(obj)
if err != nil {
return apierrors.NewForbidden(kind, name, internalError)
}
// this is necessary because name object name generation has not occurred yet
if len(objectMeta.Name) > 0 {
name = objectMeta.Name
} else if len(objectMeta.GenerateName) > 0 {
name = objectMeta.GenerateName
}
}
return apierrors.NewForbidden(kind, name, internalError)
}示例14: Search
// Search will attempt to find imagestreams with names that matches the passed in value
func (r ImageStreamSearcher) Search(terms ...string) (ComponentMatches, error) {
componentMatches := ComponentMatches{}
for _, term := range terms {
ref, err := imageapi.ParseDockerImageReference(term)
if err != nil || len(ref.Registry) != 0 {
return nil, fmt.Errorf("image streams must be of the form [<namespace>/]<name>[:<tag>|@<digest>]")
}
namespaces := r.Namespaces
if len(ref.Namespace) != 0 {
namespaces = []string{ref.Namespace}
}
searchTag := ref.Tag
if len(searchTag) == 0 {
searchTag = imageapi.DefaultImageTag
}
for _, namespace := range namespaces {
glog.V(4).Infof("checking ImageStreams %s/%s with ref %q", namespace, ref.Name, searchTag)
streams, err := r.Client.ImageStreams(namespace).List(labels.Everything(), fields.Everything())
if err != nil {
if errors.IsNotFound(err) || errors.IsForbidden(err) {
continue
}
return nil, err
}
ref.Namespace = namespace
for i := 0; i < len(streams.Items); i++ {
stream := streams.Items[i]
score, scored := imageStreamScorer(stream, ref.Name)
if scored {
imageref, _ := imageapi.ParseDockerImageReference(term)
imageref.Name = stream.Name
latest := imageapi.LatestTaggedImage(&stream, searchTag)
if latest == nil {
glog.V(2).Infof("no image recorded for %s/%s:%s", stream.Namespace, stream.Name, searchTag)
componentMatches = append(componentMatches, &ComponentMatch{
Value: imageref.String(),
Argument: fmt.Sprintf("--image-stream=%q", imageref.String()),
Name: imageref.Name,
Description: fmt.Sprintf("Image stream %s in project %s, tracks %q", stream.Name, stream.Namespace, stream.Status.DockerImageRepository),
Score: 0.5 + score,
ImageStream: &stream,
ImageTag: searchTag,
})
continue
}
imageStreamImage, err := r.ImageStreamImages.ImageStreamImages(namespace).Get(stream.Name, latest.Image)
if err != nil {
if errors.IsNotFound(err) {
// continue searching
glog.V(2).Infof("tag %q is set, but image %q has been removed", searchTag, latest.Image)
continue
}
return nil, err
}
imageData := imageStreamImage.Image
imageref.Registry = ""
componentMatches = append(componentMatches, &ComponentMatch{
Value: imageref.String(),
Argument: fmt.Sprintf("--image-stream=%q", imageref.String()),
Name: imageref.Name,
Description: fmt.Sprintf("Image stream %q (tag %q) in project %q, tracks %q", stream.Name, searchTag, stream.Namespace, stream.Status.DockerImageRepository),
Builder: IsBuilderImage(&imageData.DockerImageMetadata),
Score: score,
ImageStream: &stream,
Image: &imageData.DockerImageMetadata,
ImageTag: searchTag,
})
}
}
}
}
return componentMatches, nil
}示例15: TestBuildAdmission
func TestBuildAdmission(t *testing.T) {
tests := []struct {
name string
kind string
resource string
object runtime.Object
reviewResponse *authorizationapi.SubjectAccessReviewResponse
expectedResource string
expectAccept bool
}{
{
name: "allowed source build",
object: testBuild(buildapi.SourceBuildStrategyType),
kind: "Build",
resource: buildsResource,
reviewResponse: reviewResponse(true, ""),
expectedResource: authorizationapi.SourceBuildResource,
expectAccept: true,
},
{
name: "denied docker build",
object: testBuild(buildapi.DockerBuildStrategyType),
kind: "Build",
resource: buildsResource,
reviewResponse: reviewResponse(false, "cannot create build of type docker build"),
expectAccept: false,
expectedResource: authorizationapi.DockerBuildResource,
},
{
name: "allowed custom build",
object: testBuild(buildapi.CustomBuildStrategyType),
kind: "Build",
resource: buildsResource,
reviewResponse: reviewResponse(true, ""),
expectedResource: authorizationapi.CustomBuildResource,
expectAccept: true,
},
{
name: "allowed build config",
object: testBuildConfig(buildapi.DockerBuildStrategyType),
kind: "BuildConfig",
resource: buildConfigsResource,
reviewResponse: reviewResponse(true, ""),
expectAccept: true,
expectedResource: authorizationapi.DockerBuildResource,
},
{
name: "forbidden build config",
object: testBuildConfig(buildapi.CustomBuildStrategyType),
kind: "BuildConfig",
resource: buildConfigsResource,
reviewResponse: reviewResponse(false, ""),
expectAccept: false,
expectedResource: authorizationapi.CustomBuildResource,
},
}
for _, test := range tests {
c := NewBuildByStrategy(fakeClient(test.expectedResource, test.reviewResponse))
attrs := admission.NewAttributesRecord(test.object, test.kind, "default", "name", test.resource, "" /*subresource*/, admission.Create, fakeUser())
err := c.Admit(attrs)
if err != nil && test.expectAccept {
t.Errorf("%s: unexpected error: %v", test.name, err)
}
if (err == nil || !apierrors.IsForbidden(err)) && !test.expectAccept {
t.Errorf("%s: expecting reject error", test.name)
}
}
}